prepare support configuring https

2016-10-14 17:13:15 +08:00 · 2016-10-14 17:13:15 +08:00 · 86daa51c1e
parent d0d6a8418b
commit 86daa51c1e
5 changed files with 140 additions and 23 deletions
--- a/.gitignore
+++ b/.gitignore
@ -4,6 +4,8 @@ Deploy/config/ui/env
 Deploy/config/ui/app.conf
 Deploy/config/db/env
 Deploy/config/jobservice/env
+Deploy/config/nginx/nginx.conf
+Deploy/config/nginx/cert/*
 Deploy/ui/harbor_ui
 Deploy/jobservice/harbor_jobservice
 ui/ui
--- a/Deploy/harbor.cfg
+++ b/Deploy/harbor.cfg
@ -86,4 +86,10 @@ crt_organization = organization
 crt_organizationalunit = organizational unit
 crt_commonname = example.com
 crt_email = example@example.com
+
+
+#The path of cert and key files for nginx, they are applied only the protocol is set to https
+ssl_cert = /path/to/server.crt
+ssl_cert_key = /path/to/server.key
+#############
 #####
--- a/Deploy/prepare
+++ b/Deploy/prepare
@ -8,6 +8,7 @@ import os
 import sys
 import argparse
 import subprocess
+import shutil
 from io import open

 if sys.version_info[:3][0] == 2:
@ -21,6 +22,19 @@ if sys.version_info[:3][0] == 3:
 def validate(conf): 
    if len(conf.get("configuration", "secret_key")) != 16:
        raise Exception("Error: The length of secret key has to be 16 characters!")
+    protocol = rcp.get("configuration", "ui_url_protocol")
+    if protocol == "https":
+        if not rcp.has_option("configuration", "ssl_cert"):
+            raise Exception("Error: The protocol is https but attribute ssl_cert is not set")
+        cert_path = rcp.get("configuration", "ssl_cert")
+        if not os.path.isfile(cert_path):
+            raise Exception("Error: The path for certificate: %s is invalid" % cert_path)
+        if not rcp.has_option("configuration", "ssl_cert_key"):
+            raise Exception("Error: The protocol is https but attribute ssl_cert_key is not set")
+        cert_key_path = rcp.get("configuration", "ssl_cert_key")
+        if not os.path.isfile(cert_key_path):
+            raise Exception("Error: The path for certificate key: %s is invalid" % cert_key_path)
+

 parser = argparse.ArgumentParser()
 parser.add_argument('-conf', dest='cfgfile', default = 'harbor.cfg',type=str,help="the path of Harbor configuration file")
@ -37,7 +51,8 @@ rcp.readfp(conf)
 validate(rcp)

 hostname = rcp.get("configuration", "hostname")
-ui_url = rcp.get("configuration", "ui_url_protocol") + "://" + hostname
+protocol = rcp.get("configuration", "ui_url_protocol")
+ui_url = protocol + "://" + hostname
 email_server = rcp.get("configuration", "email_server")
 email_server_port = rcp.get("configuration", "email_server_port")
 email_username = rcp.get("configuration", "email_username")
@ -65,6 +80,9 @@ ldap_scope = rcp.get("configuration", "ldap_scope")
 db_password = rcp.get("configuration", "db_password")
 self_registration = rcp.get("configuration", "self_registration")
 use_compressed_js = rcp.get("configuration", "use_compressed_js")
+if protocol == "https":
+    cert_path = rcp.get("configuration", "ssl_cert")
+    cert_key_path = rcp.get("configuration", "ssl_cert_key")
 customize_crt = rcp.get("configuration", "customize_crt")
 crt_country = rcp.get("configuration", "crt_country")
 crt_state = rcp.get("configuration", "crt_state")
@ -108,15 +126,31 @@ ui_conf = os.path.join(config_dir, "ui", "app.conf")
 registry_conf = os.path.join(config_dir, "registry", "config.yml")
 db_conf_env = os.path.join(config_dir, "db", "env")
 job_conf_env = os.path.join(config_dir, "jobservice", "env")
-
-conf_files = [ ui_conf, ui_conf_env, registry_conf, db_conf_env, job_conf_env ]
+nginx_conf = os.path.join(config_dir, "nginx", "nginx.conf")
+cert_dir = os.path.join(config_dir, "nginx", "cert") 
+conf_files = [ ui_conf, ui_conf_env, registry_conf, db_conf_env, job_conf_env, nginx_conf, cert_dir ]
 def rmdir(cf):
    for f in cf:
-        if os.path.exists(f):
-            print("Clearing the configuration file: %s" % f)
-            os.remove(f)
+        if os.path.isdir(f):
+            rmdir(map(lambda x: os.path.join(f,x), os.listdir(f)))
+        elif os.path.exists(f) and os.path.basename(f) != ".gitignore":
+                print("Clearing the configuration file: %s" % f)
+                os.remove(f)
 rmdir(conf_files)

+if protocol == "https":
+    target_cert_path = os.path.join(cert_dir, os.path.basename(cert_path))
+    shutil.copy2(cert_path,target_cert_path)
+    target_cert_key_path = os.path.join(cert_dir, os.path.basename(cert_key_path))
+    shutil.copy2(cert_key_path,target_cert_key_path)
+    render(os.path.join(templates_dir, "nginx", "nginx.https.conf"),
+            nginx_conf,
+            ssl_cert = os.path.join("/etc/nginx/cert", os.path.basename(target_cert_path)),
+            ssl_cert_key = os.path.join("/etc/nginx/cert", os.path.basename(target_cert_key_path)))
+else:
+    render(os.path.join(templates_dir, "nginx", "nginx.http.conf"),
+        nginx_conf)
+
 render(os.path.join(templates_dir, "ui", "env"),
        ui_conf_env,
        hostname=hostname,
--- a/Deploy/templates/nginx/nginx.http.conf
+++ b/Deploy/templates/nginx/nginx.http.conf
@ -0,0 +1,75 @@
+worker_processes auto;
+
+events {
+  worker_connections 1024;
+  use epoll;
+  multi_accept on;
+}
+
+http {
+  tcp_nodelay on;
+
+  # this is necessary for us to be able to disable request buffering in all cases
+  proxy_http_version 1.1;
+
+
+  upstream registry {
+    server registry:5000;
+  }
+
+  upstream ui {
+    server ui:80;
+  }
+
+
+  server {
+    listen 80;
+
+    # disable any limits to avoid HTTP 413 for large image uploads
+    client_max_body_size 0;
+
+    location / {
+      proxy_pass http://ui/;
+      proxy_set_header Host $$host;
+      proxy_set_header X-Real-IP $$remote_addr;
+      proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
+      
+      # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
+      proxy_set_header X-Forwarded-Proto $$scheme;
+      
+      proxy_buffering off;
+      proxy_request_buffering off;
+    }
+
+    location /v1/ {
+      return 404;
+    }
+
+    location /v2/ {
+      proxy_pass http://registry/v2/;
+      proxy_set_header Host $$http_host;
+      proxy_set_header X-Real-IP $$remote_addr;
+      proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
+      
+      # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
+      proxy_set_header X-Forwarded-Proto $$scheme;
+      
+      proxy_buffering off;
+      proxy_request_buffering off;
+
+    }
+
+    location /service/ {
+      proxy_pass http://ui/service/;
+      proxy_set_header Host $$host;
+      proxy_set_header X-Real-IP $$remote_addr;
+      proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
+      
+      # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
+      proxy_set_header X-Forwarded-Proto $$scheme;
+      
+      proxy_buffering off;
+      proxy_request_buffering off;
+    }
+  }
+}
--- a/Deploy/templates/nginx/nginx.https.conf
+++ b/Deploy/templates/nginx/nginx.https.conf
@ -24,11 +24,11 @@ http {

  server {
    listen 443 ssl;
-    server_name harbordomain.com;
+#    server_name harbordomain.com;

    # SSL
-    ssl_certificate /etc/nginx/cert/harbordomain.crt;
-    ssl_certificate_key /etc/nginx/cert/harbordomain.key;
+    ssl_certificate $ssl_cert;
+    ssl_certificate_key $ssl_cert_key;
  
    # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
    ssl_protocols TLSv1.1 TLSv1.2;
@ -44,12 +44,12 @@ http {

    location / {
      proxy_pass http://ui/;
-      proxy_set_header Host $http_host;
-      proxy_set_header X-Real-IP $remote_addr;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header Host $$http_host;
+      proxy_set_header X-Real-IP $$remote_addr;
+      proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
      
      # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
-      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header X-Forwarded-Proto $$scheme;

      proxy_buffering off;
      proxy_request_buffering off;
@ -61,12 +61,12 @@ http {

    location /v2/ {
      proxy_pass http://registry/v2/;
-      proxy_set_header Host $http_host;
-      proxy_set_header X-Real-IP $remote_addr;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header Host $$http_host;
+      proxy_set_header X-Real-IP $$remote_addr;
+      proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
      
      # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
-      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header X-Forwarded-Proto $$scheme;

      proxy_buffering off;
      proxy_request_buffering off;
@ -75,12 +75,12 @@ http {

    location /service/ {
      proxy_pass http://ui/service/;
-      proxy_set_header Host $http_host;
-      proxy_set_header X-Real-IP $remote_addr;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header Host $$http_host;
+      proxy_set_header X-Real-IP $$remote_addr;
+      proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
      
      # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
-      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header X-Forwarded-Proto $$scheme;

      proxy_buffering off;
      proxy_request_buffering off;
@ -88,7 +88,7 @@ http {
  }
    server {
      listen 80;
-      server_name harbordomain.com;
-      rewrite ^/(.*) https://$server_name:443/$1 permanent;
+      #server_name harbordomain.com;
+      return 301 https://$$host$$request_uri;
  } 
 }